Matej Cepl 2020-07-20 15:54:49 +00:00 committed by Git OBS Bridge
parent 322af6478b
commit bfca21eba6
3 changed files with 4 additions and 14 deletions


@ -41,16 +41,3 @@ Add a check for length = 0 in the _proc_pax function to avoid running into an in
+++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst +++ b/Misc/NEWS.d/next/Library/2020-07-12-22-16-58.bpo-39017.x3Cg-9.rst
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907). +Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).
--- /dev/null
+++ b/Lib/test/recursion.tar.asc
@@ -0,0 +1,10 @@
+YmNhbGxlcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAAAAAAAMAAAAAAA
+AAAwAAAAAAAAADEAAAAAAAAAAAAAADAAAAAAAAAAAAAAADAwMjc1NQAgZwAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwMAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAADAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAw
+IFg9


@ -102,6 +102,8 @@ Source10: pre_checkin.sh
Source11: skipped_tests.py Source11: skipped_tests.py
Source19: idle3.desktop Source19: idle3.desktop
Source20: idle3.appdata.xml Source20: idle3.appdata.xml
# For Patch 32
Source32: recursion.tar
Source99: python.keyring Source99: python.keyring
# The following files are not used in the build. # The following files are not used in the build.
# They are listed here to work around missing functionality in rpmbuild, # They are listed here to work around missing functionality in rpmbuild,
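Review bot: The `# For Patch 32` comment on Source32 says what the file pairs with but not what it is; since recursion.tar is a deliberately malformed archive whose only purpose is to make the tarfile test suite hit the CVE-2019-20907 infinite-loop path, say so in the comment (and that it is binary, which is why it ships as a Source instead of inside the text patch), so it is not mistaken for one of the unused files described in the comment block directly below.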
@ -140,6 +142,7 @@ Patch29: bpo-31046_ensurepip_honours_prefix.patch
Patch31: bsc1167501-invalid-alignment.patch Patch31: bsc1167501-invalid-alignment.patch
# PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com # PATCH-FIX-UPSTREAM CVE-2019-20907_tarfile-inf-loop.patch bsc#1174091 mcepl@suse.com
# avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907) # avoid possible infinite loop in specifically crafted tarball (CVE-2019-20907)
# REQUIRES SOURCE 32
Patch32: CVE-2019-20907_tarfile-inf-loop.patch Patch32: CVE-2019-20907_tarfile-inf-loop.patch
BuildRequires: automake BuildRequires: automake
BuildRequires: fdupes BuildRequires: fdupes
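Review bot: `# REQUIRES SOURCE 32` records the coupling but nothing enforces it at this point in the spec; the only guard is the %prep copy failing if Source32 is removed, which is acceptable as a build-time check, but consider folding this remark into the PATCH-FIX-UPSTREAM comment line above it so the patch header, the bsc#1174091 reference and the source dependency travel together when the patch is refreshed or dropped after a rebase onto an upstream release that already carries the fix.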
@ -397,7 +400,7 @@ other applications.
%patch32 -p1 %patch32 -p1
# For patch 32 # For patch 32
python3 -mbase64 -d Lib/test/recursion.tar.asc > Lib/test/recursion.tar cp -v %{SOURCE32} Lib/test/recursion.tar
# drop Autoconf version requirement # drop Autoconf version requirement
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac

BIN
recursion.tar Normal file
